Facebook knows everything about you
A chronic disease, political preference or major financial decisions: expect Facebook to know about this. Whoever responds to an ad might be sharing this information without knowing it. What does Facebook know? Read our suggestions to protect privacy-sensitive data.
Bert Quist , Expert Geld & Privacy Gepubliceerd op:11 juli 2017
Lees je liever in het Nederlands? Ga dan naar ons Nederlandstalig artikel.
What does Facebook know?
To find out which interests Facebook has attached to your profile, in Facebook go to ‘Settings’ and then ‘Ads’. Click on ‘Interests’ to see all the subjects Facebook believes might interest you. A number of images have been added to each subject. In the top right-hand corner, click on the image above the cross to remove the interests in question. Also click on ‘More’ on the right-hand side, where you will usually find even more subjects.
During our investigation, we found interests do not always make sense. For example ‘sushi’ for someone who in fact never fancied it. And what about Facebooker Marion Schoots – who responded to our ad on cancer and mortgages (see alongside). She says she does not have cancer, feeling upset about Facebook suggesting otherwise. “They went about without me even knowing. Having a serious disease like that, at least I would have to give permission.”
Cancer, a life-changing event, a new relationship, a hereditary disorder, gay meeting points, messianic Jews, Fethullah Gülen, anonymous gamblers: these are just some of the predefined options Facebook advertisers may focus on. It is not the user, but rather Facebook that determines your ‘interests’ and features. Facebook does this by analysing your account information provided by its subsidiary WhatsApp. But also by analysing your clicks, likes and shares, and the websites that you visit. Even if you are not on Facebook simultaneously.
Whether you are sharing everything with everyone on Facebook, with friends only, or with nobody, advertisers are perfectly able to access, use and save private information. Unless you study your settings carefully.
Cancer: no longer a private matter
'My husband died of cancer,” answered Pit Hienekamp when we asked her why Facebook claims she is interested in this disease. “Both our children have had cancer,” says Jenney Nieman. We found out that according to Facebook they were interested in “cancer” after we advertised on Facebook ourselves. Our ad consisted of a video message inviting Facebookers to join a study for this article. We addressed people who were supposedly interested in ‘mortgages’ as well as ‘cancer’.
We made it perfectly clear our message was meant for those who are somehow ‘into’ mortgages. We deliberately did not mention the fact that we also selected people whose interests include cancer. This is exactly how advertisers with ill intentions and malicious parties will go about this. Of all those who responded to our message, we knew not only that according to Facebook they were ‘into’ mortgages, but also into ‘cancer’. Participants had shared this other, obviously most privacy-sensitive ‘interest’, without knowing it.
'Any private information that you do not share on Facebook, advertisers can access nevertheless.'
Facebook places a tiny arrow in the top right-hand corner of ads. Provided you click on it, you will see the option that says 'Why am I seeing this ad?” Facebook will then sum up no more than two selection criteria, like the fact that the advertiser wants to reach adults (18 and beyond) living across the Netherlands. Unfortunately, Facebook does not show all selection criteria, which might seriously affect users’ privacy. “It’s not an exhaustive list. In fact it is the tip of the iceberg,” says one of Facebook’s spokespersons. “We share only two of them, to keep things somewhat manageable.'
Excluding sick people
Whoever responds to an ad whereby the advertiser has selected his audience based on all kinds of privacy-sensitive criteria, might unintentionally expose sensitive interests and features as well. Like someone responding to a healthcare or life insurance revealing that he has a chronic disease (as an ‘interest’). We tried this ourselves, using a video message to invite people who according to Facebook were interested in life insurances. We deliberately did not mention the fact that whoever replied, would confirm that according to Facebook he is ‘interested’ in chronic diseases as well.
Hannelore Versloot-Alting is one of the Facebookers who accepted our invitation. We confronted her, telling her that according to Facebook she is also interested in chronic diseases. She told us she has a rheumatic disease, Ankylosing spondylitis. To us this is yet another confirmation that the interests Facebook links to its users usually make sense. To advertisers, this is an interesting detail: they can save on marketing expenses on the one hand by advertising purposefully, and on the other hand they can make sure to address clients who bring in more and cost less. Because on Facebook you can also show ads to people who do not have a specific feature or interest. This is convenient for e.g. insurance companies wanting to focus on healthy prospective clients, and who preferably do not want to share their ads with the chronically ill. Univé has been taking things a step further by sharing its customer database with Facebook: 'Univé is creating a target group by uploading its members’ email addresses onto this advertising tool by Facebook. This group can then be approached through a specific advertising campaign or in fact be excluded from it.'
'Cancer, gay meeting points, Jews: these are some of the predefined options Facebook advertisers may focus on…'
'Yes I voted for GroenLinks (the Green party in The Netherlands). And no, I had no idea you had selected me because of that,' a broadcast employee commented on our Facebook ad. It was a video message to people working at the Media Park in Hilversum. She herself happens to advertise on Facebook on behalf of her employer, and only recently she addressed homosexual Dutch citizens specifically for a TV show. 'But I’d rather not see this information about my employer being put out there.' This is why we will not mention any names. Advertisers addressing homosexuals in particular or excluding them is basically a no-go area after a reprimand from the Dutch Data Protection Authority. But after placing an ad dedicated to homosexuals who speak Dutch and who are living in the US, a few responded immediately. 'Indirectly you can still include or exclude gay people in the Netherlands,” adds this broadcast employee to our findings. “We selected them based on specific Facebook groups that they had joined.'
Protect privacy-sensitive data
- In Facebook, go to Settings > Ads, and click on ‘Your interests’ (in case you’re using a mobile device, first go to ‘Account settings’.
- In Facebook, go to Settings > Ads, and click on ‘Your information. Under ‘About you’ and ‘Your categories’ disable all the information you do not want advertisers to access.
- In Facebook, go to Settings > Ads, and click on ‘Ad settings’. Turn ‘Off’ the option that says ‘Show ads based on online interests’. Also disable the option that says ‘View adds based on my Facebook ad preferences in apps and on websites off Facebook companies.’
- Install an ‘adblocker’, disallowing Facebook Pixel from appearing secretly on websites. Facebook will then have a hard time keeping track of the websites that you are visiting in addition to Facebook.
- Make sure Facebook cannot track down your location (search in google for ‘Disable Location Services for Facebook’), to make sure advertisers cannot access this information.
- Create an email address for Facebook only.
- Do not respond to Facebook ads.
- Go to www.youronlinechoices.com, click on ‘Your settings;’ and disable Facebook.
‘Judaism’ is yet another ‘interest’ Facebook advertisers may select. Facebookers whom we selected based on the ‘Judaism’ criterion, told us on the phone they were going to remove this interest from their Facebook profile. Either because they wanted to keep their background to themselves, or because they were not Jewish to begin with, like Thera Stakenburg. “I think Facebook has linked this interest to my profile because recently. I liked a page on Lidice. I’ll make sure to remove this interest. I don’t want to be targeted because of it.
Facebook follows everything
Facebook is pretty much everywhere. Literally, because it is hard finding website content that does not come from it. A good example is ‘Facebook Pixel’: a website plugin invisible to the naked eye. Those viewing websites with Facebook Pixel, will automatically visit Facebook.com as well. Facebook will save their visits and share the information with advertisers, even if at that moment they are not logged into Facebook. Because of a tiny file on your computer (‘cookie’) which Facebook can open and read, you are visible anyway. This helps advertisers focus on those who have (or haven’t) visited their websites. It perfectly explains why for a long time you will continue to receive product ads after visiting a website that is selling products.
Smart companies will make sure existing customers no longer get to see their ads. Facebook makes this possible, by inviting these companies to share parts of their customer databases. Facebook will compare email addresses or cell phone numbers to those of its own users, creating a special group called ‘Custom Audience’ with those who ‘match’. On Facebook, advertisers may display ads exclusively to existing customers, or exclude them instead. Sharing customer data with Facebook is actually punishable in case the customers in question did not provide their details for this purpose. Organisations ‘reporting’ on their websites that they will be sharing customer data with Facebook include insurance company Univé, the political party ChristenUnie and KLM ('we might share your email address or any other identifying data to help Facebook verify whether you have a Facebook account.')
The risk is that companies can expand (enrich) their customer database with a wealth of privacy-sensitive data. For example: a company sharing a Facebook ad with people who already are a customer and who have a specific disease as an ‘interest’. Customers who respond to this ad, will unintentionally let the company know that they are interested in this disease. The company can repeat this process for all kinds of interests, features and behaviours, just as long as it takes until it has a customer database brimming with specific and privacy-sensitive customer profiles. Today Facebook will sometimes get it all wrong but the more (‘big’) data it collects over time, the more accurate its users’ profiles will be. A frightening thought.
Facebook will sell data to whoever pays
'People often say they have nothing to hide whenever I tell them I’m investigating our privacy. So I ask them whether they would be willing to email me their medical files or tax returns. But when it comes to Facebook, something else is going on. Most people don’t even know what they might want to hide, because Facebook itself is putting together their privacy-sensitive data. Facebook will sell these data to whoever is willing to pay. Starting from a few cents, anyone can access this personal information, even if you are not running a company. I tried this myself during my investigation. I was overwhelmed by people confirming that the privacy-sensitive data I had received were actually correct. Many of them did not even know Facebook had collected this information. I had 'targeted' people based on the features they knew they were being selected for. Facebook must undo this privacy leak without delay, because it can have some really bad consequences for its users.'
Nieuw & interessant
- 9 jun.Wat zijn de gevaren van datalekken, wat kun je doen om het lekken van jouw gegevens te voorkomen en wat moet je doen als je data wel is gelekt?
- 7 jun.Bij 3 van de 12 datingsites - Inner Circle, Pepper en Relatieplanet - kunnen hackers te gemakkelijk gebruikersnamen en wachtwoorden raden.
- Nieuws | 19 mei.Het nieuwe kabinet moet serieus werk maken van de Algemene Verordening Gegevensbescherming (AVG). De wet wordt slecht nageleefd, beschermt kinderen onvoldoende en handhaving ontbreekt.
- 5 mrt.Ook bijna 3 jaar na invoering van de AVG plaatst de helft van de websites nog steeds cookies zonder toestemming, of stuurt je richting ‘alles accepteren’. Dit blijkt uit een cookiescan die we in januari uitvoerden bij 100 populaire sites.